Severity
Medium
Analysis Summary
A malvertising campaign is being used to distribute the GreenFlash Sundown exploit kit. The compromise begins when the user visits a website hosting malicious ads, in this case an online video conversion tool. The malicious ad is a GIF containing obfuscated JavaScript that redirects the user to a remote site. That site eventually loads a Flash object which performs a further redirect to a domain associated with the GreenFlash Sundown exploit kit. The kit exploits a Flash vulnerability in order to execute PowerShell on the victim's system. The PowerShell script first checks that the host is not a virtual machine; if the checks pass, the exploit kit drops and executes its payloads on the system. The SEON ransomware is delivered to encrypt the victim's files, and at the same time the Pony stealer and a coin miner are executed on the system. The researchers note that this campaign largely impacted North America and Europe, which is unusual, as the GreenFlash Sundown EK had previously only affected Asian countries.
Impact
File encryption
Indicators of Compromise
URLs
Malware Hash (MD5/SHA1/SHA256)
Remediation
Block all threat indicators at your respective controls.
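One way to act on this remediation, as an added example that is not part of the Rewterz alert: refang the defanged indicators listed on this page, build a domain blocklist from them, and match proxy log lines against it, treating a hit on a listed domain as covering its subdomains. The log lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Indicators exactly as published on the alert page, in defanged form.
DEFANGED_IOCS = [
    "http[:]//accomplishedsettings[.]cdn-cloud[.]club/",
    "http[:]//adsfast[.]site/",
    "https[:]//fastimage[.]site/",
    "ad4989[.]world",
    "adsfast[.]info",
    "adsfast[.]site",
    "cdn-cloud[.]club",
    "fastimage[.]site",
]

def refang(ioc: str) -> str:
    """Undo the [.] / [:] / hxxp defanging used in threat-alert listings."""
    return ioc.replace("[.]", ".").replace("[:]", ":").replace("hxxp", "http")

def ioc_host(ioc: str) -> str:
    """Lower-case hostname of a defanged URL or bare domain."""
    refanged = refang(ioc)
    netloc = refanged if "://" in refanged else "//" + refanged  # bare domain -> netloc
    return urlsplit(netloc).hostname.lower()

BLOCKLIST = {ioc_host(i) for i in DEFANGED_IOCS}

def is_blocked(host: str) -> bool:
    """True if the host or any parent domain is listed (cdn-cloud.club covers its subdomains)."""
    labels = host.lower().strip(".").split(".")
    return any(".".join(labels[i:]) in BLOCKLIST for i in range(len(labels)))

# Constructed proxy log lines (not from the alert): timestamp, client, method, URL, status.
SAMPLE_LOG = """\
2019-07-02T10:14:03Z 10.0.0.21 GET https://www.example.com/convert status=200
2019-07-02T10:14:05Z 10.0.0.21 GET http://accomplishedsettings.cdn-cloud.club/ status=302
2019-07-02T10:14:06Z 10.0.0.21 GET https://fastimage.site/ad.gif status=200
2019-07-02T10:14:09Z 10.0.0.22 GET https://news.example.org/ status=200
"""

def scan_log(text: str) -> list:
    """Return (client, host) for every request whose host is blocklisted."""
    hits = []
    for line in text.splitlines():
        m = re.search(r"https?://\S+", line)
        host = urlsplit(m.group(0)).hostname if m else None
        if host and is_blocked(host):
            hits.append((line.split()[1], host))
    return hits
```

Calling `scan_log(SAMPLE_LOG)` flags the two requests from 10.0.0.21 to listed hosts and ignores the unrelated sites.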